Allow use of art as the Android runtime.

system_server and app domains need to map dalvik-cache files with PROT_EXEC. type=1400 msg=audit(13574814.073:132): avc: denied { execute } for pid=589 comm="system_server" path="/data/dalvik-cache/system@priv-app@SettingsProvider.apk@classes.dex" dev="mmcblk0p30" ino=684132 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file Apps need to map cached dex files with PROT_EXEC. We already allow this for untrusted_app to support packaging of shared objects as assets but not for the platform app domains. type=1400 audit(1387810571.697:14): avc: denied { execute } for pid=7822 comm="android.youtube" path="/data/data/com.google.android.youtube/cache/ads1747714305.dex" dev="mmcblk0p30" ino=603259 scontext=u:r:platform_app:s0 tcontext=u:object_r:platform_app_data_file:s0 tclass=file Change-Id: I309907d591ea6044e3e6aeb57bde7508e426c033 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Allow use of art as the Android runtime.
527316a2 · Stephen Smalley · 588bb5c7 · 527316a2 · 527316a2 · 527316a2
Commit 527316a2 authored 11 years ago by Stephen Smalley
--- a/app.te
+++ b/app.te
@@ -152,6 +152,9 @@ allow appdomain self:rawip_socket create_socket_perms;
 allow appdomain usb_device:chr_file { read write getattr ioctl };
 allow appdomain usbaccessory_device:chr_file { read write getattr };
+# For art.
+allow appdomain dalvikcache_data_file:file execute;
 ###
 ### CTS-specific rules
 ###

--- a/platform_app.te
+++ b/platform_app.te
@@ -36,6 +36,7 @@ allow platform_app appdomain:fifo_file write;
 # App sandbox file accesses.
 allow platformappdomain platform_app_data_file:dir create_dir_perms;
 allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
+allow platformappdomain platform_app_data_file:file execute;
 # App sdcard file accesses
 allow platformappdomain sdcard_type:dir create_dir_perms;
 allow platformappdomain sdcard_type:file create_file_perms;

--- a/system_server.te
+++ b/system_server.te
@@ -8,6 +8,9 @@ permissive system_server;
 # Dalvik Compiler JIT Mapping.
 allow system_server self:process execmem;
+# For art.
+allow system_server dalvikcache_data_file:file execute;
 # Child of the zygote.
 allow system_server zygote:fd use;
 allow system_server zygote:process sigchld;